Patent 9712624

Secure Virtual Network Platform for Enterprise Hybrid Cloud Computing Environments

Published: July 18, 2017
Assignee: not available in USPTO data
Inventors: Jaushin Lee

Patent Claims (20 claims)

Legal claims defining the scope of protection, as filed with the USPTO.

1. A method comprising: providing a cluster of virtual network switches, the cluster of virtual network switches being coupled between a first network domain and a second network domain, wherein the cluster of virtual network switches is separate from the first and second network domains, and the second network domain is separate from the first network domain; providing a cluster of controllers coupled to the cluster of virtual network switches, the first network domain, and the second network domain; receiving at a first end point in the first network domain a request to make a connection to a second end point in the second network domain; determining if the connection should be provided through a virtual network connecting the first network domain with the second network domain; and if the connection should be provided through the virtual network, establishing a virtual network connection between the first end point and the second end point to transmit a payload from the first network domain to the second network domain, wherein the establishing comprises: initiating by the first end point, as allowed by a controller of the cluster of controllers, first traffic from the first network domain to a virtual network switch of the cluster of virtual network switches, the first traffic being allowed through a first firewall of the first network domain because the first traffic is outbound from the first network domain to the virtual network switch, the first traffic thereby being first outbound traffic; initiating by the second end point, as allowed by the controller, second traffic from the second network domain to the virtual network switch, the second traffic being allowed through a second firewall of the second network domain because the second traffic is outbound from the second network domain to the virtual network switch, the second traffic thereby being second outbound traffic; and placing by the virtual network switch the payload from the first outbound traffic established by the first end point into a reply to the second outbound traffic established by the second end point residing in the second network domain.

2. The method of claim 1 wherein the first end point, second end point, or both comprises an isolated virtual environment.

3. The method of claim 1 wherein the determining if the connection should be provided through the virtual network comprises: determining whether a destination address for the payload is listed in a static virtual routing table stored at the first end point, the static virtual routing table comprising a list of addresses for the second network domain; and if the destination address is listed in the static virtual routing table, seeking approval of the controller for the virtual network connection.

4. The method of claim 3 comprising: if the destination address is not listed in the static virtual routing table, forwarding the request to a local TCP/IP network inside the first network domain.

5. The method of claim 1 comprising: storing at the first end point a static virtual routing table comprising a list of destination addresses for the second network domain that the first end point is allowed to connect to through the virtual network.

6. The method of claim 5 comprising: upon discovery of a new end point, updating the static virtual routing table to include the new end point; and distributing the updated static virtual routing table to the first end point.

7. The method of claim 5 comprising: upon discovery of a deletion of an end point, updating the static virtual routing table to remove the deleted end point; and distributing the updated static virtual routing table to the first end point.

8. The method of claim 1 wherein the determining if the connection should be provided through the virtual network comprises: computing an identifier associated with an application program that is running in the first end point; comparing the identifier to a white list of authorized identifiers; and if the identifier is in the white list, determining that the connection is allowed to be provided through the virtual network.

9. The method of claim 1 wherein the determining if the connection should be provided through the virtual network comprises: computing an identifier associated with an application program that is running in the first end point; comparing the identifier to a black list of identifiers; and if the identifier is not in the black list, determining that the connection is allowed to be provided through the virtual network.

10. The method of claim 1 comprising: if the connection should not be provided through the virtual network, dropping the request.

11. The method of claim 1 wherein one of the first or second network domains comprises a private network domain, and another of the first or second network domains comprises a public network domain.
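How the claimed connection is assembled from two outbound flows, as an added example that is not part of the patent or of any product it describes: a minimal Python relay in which a VirtualSwitch class stands in for one switch of the cluster, a Controller class issues tickets in place of the controller's approval, and both end points only ever open outbound TCP connections to the switch. The switch holds the payload carried by the first end point's outbound flow and places it into its reply on the second end point's outbound flow, which is the step claim 1 ends with. The length-prefixed framing, the SEND/RECV roles, the ticket format and the addresses are assumptions made for the illustration. On localhost there is no firewall to traverse, but the exchange never needs the switch to initiate a connection into either domain, which is the property the claim relies on.

```python
"""Rendezvous relay: two outbound flows stitched together by a switch (constructed example)."""
import queue
import socket
import struct
import threading

FRAME_LEN = struct.Struct("!I")  # 4-byte big-endian length prefix (assumed framing)


def _recv_exact(conn: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or fail; TCP recv may return short reads."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before frame was complete")
        buf += chunk
    return buf


def send_frame(conn: socket.socket, data: bytes) -> None:
    conn.sendall(FRAME_LEN.pack(len(data)) + data)


def recv_frame(conn: socket.socket) -> bytes:
    (length,) = FRAME_LEN.unpack(_recv_exact(conn, FRAME_LEN.size))
    return _recv_exact(conn, length)


class Controller:
    """Stands in for the cluster of controllers: it decides which pairs may use the switch."""

    def __init__(self) -> None:
        self._tickets: set[bytes] = set()

    def authorize(self, src: str, dst: str) -> bytes:
        # Hypothetical ticket: in a real deployment this would be bound to authenticated end points.
        ticket = f"{src}->{dst}".encode()
        self._tickets.add(ticket)
        return ticket

    def is_valid(self, ticket: bytes) -> bool:
        return ticket in self._tickets


class VirtualSwitch:
    """One switch of the cluster: accepts only inbound flows, never dials into a domain."""

    def __init__(self, controller: Controller) -> None:
        self.controller = controller
        self._sock = socket.socket()
        self._sock.bind(("127.0.0.1", 0))  # ephemeral port on loopback
        self._sock.listen()
        self.port = self._sock.getsockname()[1]
        self._mailboxes: dict[bytes, queue.Queue] = {}
        self._lock = threading.Lock()
        threading.Thread(target=self._serve, daemon=True).start()

    def _mailbox(self, ticket: bytes) -> queue.Queue:
        with self._lock:
            return self._mailboxes.setdefault(ticket, queue.Queue())

    def _serve(self) -> None:
        while True:
            conn, _ = self._sock.accept()
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn: socket.socket) -> None:
        with conn:
            role = recv_frame(conn)
            ticket = recv_frame(conn)
            if not self.controller.is_valid(ticket):
                send_frame(conn, b"DENIED")  # unauthorized flows never touch a mailbox
                return
            if role == b"SEND":  # first outbound traffic: park the payload under the ticket
                self._mailbox(ticket).put(recv_frame(conn))
                send_frame(conn, b"ACK")
            elif role == b"RECV":  # second outbound traffic: the payload rides in the reply
                send_frame(conn, self._mailbox(ticket).get(timeout=5))


def endpoint_send(port: int, ticket: bytes, payload: bytes) -> bytes:
    """First end point: outbound connection carrying the payload."""
    with socket.create_connection(("127.0.0.1", port)) as c:
        send_frame(c, b"SEND")
        send_frame(c, ticket)
        send_frame(c, payload)
        return recv_frame(c)


def endpoint_receive(port: int, ticket: bytes) -> bytes:
    """Second end point: outbound connection whose reply delivers the payload."""
    with socket.create_connection(("127.0.0.1", port)) as c:
        send_frame(c, b"RECV")
        send_frame(c, ticket)
        return recv_frame(c)


def demo() -> tuple[bytes, bytes]:
    ctrl = Controller()
    sw = VirtualSwitch(ctrl)
    ticket = ctrl.authorize("10.0.1.5", "10.9.0.7")  # constructed addresses
    sender = threading.Thread(target=endpoint_send, args=(sw.port, ticket, b"hello from domain A"))
    sender.start()
    delivered = endpoint_receive(sw.port, ticket)
    sender.join()
    denied = endpoint_receive(sw.port, b"forged-ticket")  # no controller approval
    return delivered, denied


if __name__ == "__main__":
    print(demo())
```

The design point worth noticing is that the controller's ticket check is the only thing standing between an arbitrary outbound connector and another domain's payload: everything else about the exchange is deliberately firewall-friendly, so in a real deployment the ticket must be bound to an authenticated end point identity and expire, not be a guessable string as in this illustration.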

12. A method comprising: providing a cluster of virtual network switches, the cluster of virtual network switches being coupled between a first network domain and a second network domain, wherein the cluster of virtual network switches is separate from the first and second network domains, and the second network domain is separate from the first network domain; providing a cluster of controllers coupled to the cluster of virtual network switches, the first network domain, and the second network domain; storing a list identifying one or more specific application programs that are not allowed to use a virtual network connecting the first network domain with the second network domain; receiving at a first end point in the first network domain a request from a client component of an application program to make a connection to a server component of the application program, the server component of the application program being at a second end point in the second network domain; determining from the list if the application program is one of the one or more specific application programs that are not allowed to use the virtual network; if allowed, establishing for the application program a virtual network connection between the first end point and the second end point to transmit a payload from the first network domain to the second network domain, wherein the establishing comprises: initiating by the first end point, as allowed by a controller of the cluster of controllers, first traffic from the first network domain to a virtual network switch of the cluster of virtual network switches, the first traffic thereby being first outbound traffic from the first network domain; initiating by the second end point, as allowed by the controller, second traffic from the second network domain to the virtual network switch, the second traffic thereby being second outbound traffic from the second network domain; and placing the payload of the first outbound traffic coming from the first network domain into a reply to the second outbound traffic from the second network domain; and if not allowed, not establishing the virtual network connection.

13. The method of claim 12 wherein the first end point, second end point, or both comprises an isolated virtual environment.

14. The method of claim 12 comprising: if not allowed, dropping the request.

15. The method of claim 12 wherein one of the first or second network domains comprises a private network domain, and another of the first or second network domains comprises a public network domain.

16. A method comprising: providing a cluster of virtual network switches, the cluster of virtual network switches being coupled to a first network domain and a second network domain, wherein the cluster of virtual network switches is separate from the first and second network domains, and the second network domain is separate from the first network domain; providing a cluster of controllers coupled to the cluster of virtual network switches, the first network domain, and the second network domain; storing at a first end point in the first network domain a static routing table comprising a list of virtual destination Internet Protocol (IP) addresses; receiving at the first end point a request from a client to connect to a destination; scanning the static routing table to determine whether an IP address of the destination is listed in the static routing table; if the IP address is listed, seeking permission to use a virtual network connecting the first network domain to the second network domain, the destination being in the second network domain; and upon a determination that use of the virtual network is permitted, establishing for the client a virtual network connection between the first end point and the destination to transmit a payload of the client from the first network domain to the second network domain, wherein the establishing comprises: initiating by the first end point, as allowed by a controller of the cluster of controllers, first traffic from the first network domain to a virtual network switch of the cluster of virtual network switches, the first traffic thereby being first outbound traffic from the first network domain; initiating by the destination, as allowed by the controller, second traffic from the second network domain to the virtual network switch, the second traffic thereby being second outbound traffic from the second network domain; and placing the payload from the first network domain into a reply to the second outbound traffic from the second network domain.

17. The method of claim 16 comprising: if the IP address is not listed, dropping the request.

18. The method of claim 16 comprising: updating the static routing table; and distributing the updated static routing table to the first end point.

19. The method of claim 16 comprising: discovering a new end point; based on the discovery, updating the static routing table to include a virtual destination IP address associated with the new end point; and distributing the updated static routing table to first end point.

20. The method of claim 16 comprising: discovering a deletion of an end point; based on the discovery, updating the static routing table to remove a virtual destination IP address associated with the deleted end point; and distributing the updated static routing table to the first end point.
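The end-point side decision that the dependent claims describe (the static virtual routing table of claims 3 to 7 and 16 to 20, the application-identifier white list and black list of claims 8 and 9, and the drop-or-forward-locally outcomes of claims 4, 10 and 17), as an added Python example that is not taken from the patent. The class and function names (StaticVirtualRoutingTable, Controller, route_request), the choice of a SHA-256 hash of the program image as the application identifier, the allow_list/deny_list names for the claims' white and black lists, the version counter used for table distribution and every address are constructed for the illustration. The local_fallback switch covers both variants the claims give: forward an unlisted destination to the local TCP/IP network (claim 4) or drop it (claim 17).

```python
"""End-point policy: static virtual routing table plus controller approval (constructed example)."""
import hashlib
import ipaddress
from dataclasses import dataclass, field


@dataclass
class StaticVirtualRoutingTable:
    """Addresses in the other domain that this end point may reach over the virtual network."""
    addresses: set = field(default_factory=set)
    version: int = 0

    def lists(self, dst: str) -> bool:
        return ipaddress.ip_address(dst) in self.addresses


def app_identifier(program_image: bytes) -> str:
    """Identifier of the requesting application; a hash of its image is one reasonable choice (assumed)."""
    return hashlib.sha256(program_image).hexdigest()


class Controller:
    """Master table plus white/black lists; pushes table updates to registered end points."""

    def __init__(self, allow_list=None, deny_list=()) -> None:
        self.allow_list = set(allow_list) if allow_list is not None else None  # claim 8 (white list)
        self.deny_list = set(deny_list)                                       # claim 9 (black list)
        self.master = StaticVirtualRoutingTable()
        self.endpoints: dict[str, StaticVirtualRoutingTable] = {}

    def register_endpoint(self, addr: str) -> StaticVirtualRoutingTable:
        table = StaticVirtualRoutingTable(set(self.master.addresses), self.master.version)
        self.endpoints[addr] = table
        return table

    def _distribute(self) -> None:
        # Claims 6, 7, 18-20: every end point receives the updated table.
        self.master.version += 1
        for table in self.endpoints.values():
            table.addresses = set(self.master.addresses)
            table.version = self.master.version

    def endpoint_discovered(self, addr: str) -> None:
        self.master.addresses.add(ipaddress.ip_address(addr))
        self._distribute()

    def endpoint_deleted(self, addr: str) -> None:
        self.master.addresses.discard(ipaddress.ip_address(addr))
        self._distribute()

    def approve(self, src: str, dst: str, app_id: str) -> bool:
        """Deny list wins; when an allow list exists the identifier must be on it."""
        if app_id in self.deny_list:
            return False
        if self.allow_list is not None and app_id not in self.allow_list:
            return False
        return True


def route_request(table: StaticVirtualRoutingTable, controller: Controller,
                  src: str, dst: str, app_id: str, local_fallback: bool = True) -> str:
    """Return 'VIRTUAL', 'LOCAL' or 'DROP' for a connection request seen at the end point."""
    if not table.lists(dst):
        return "LOCAL" if local_fallback else "DROP"   # claim 4 versus claim 17
    if controller.approve(src, dst, app_id):           # claim 3: seek controller approval
        return "VIRTUAL"
    return "DROP"                                      # claim 10


def demo() -> dict:
    good_app = app_identifier(b"constructed image of the approved client")
    bad_app = app_identifier(b"constructed image of an unapproved tool")
    ctrl = Controller(allow_list=[good_app])
    table = ctrl.register_endpoint("10.0.1.5")   # first end point, constructed address
    ctrl.endpoint_discovered("10.9.0.7")         # second-domain end point becomes reachable
    results = {
        "listed_allowed": route_request(table, ctrl, "10.0.1.5", "10.9.0.7", good_app),
        "listed_blocked": route_request(table, ctrl, "10.0.1.5", "10.9.0.7", bad_app),
        "unlisted_local": route_request(table, ctrl, "10.0.1.5", "10.0.1.9", good_app),
        "unlisted_strict": route_request(table, ctrl, "10.0.1.5", "10.0.1.9", good_app,
                                         local_fallback=False),
    }
    ctrl.endpoint_deleted("10.9.0.7")            # deletion propagates to the end point's table
    results["after_deletion"] = route_request(table, ctrl, "10.0.1.5", "10.9.0.7", good_app)
    results["table_version"] = table.version
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two things to check in any real implementation of this pattern: the identifier of the requesting application must be computed by a component the application cannot tamper with, or the white list offers no protection; and the distributed table is a copy that can lag the controller's master, so an end point should fail closed on a destination it no longer finds listed rather than cache a stale approval.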

Citation & reuse

Cite as: Patentable. “SECURE VIRTUAL NETWORK PLATFORM FOR ENTERPRISE HYBRID CLOUD COMPUTING ENVIRONMENTS” (9712624). https://patentable.app/patents/9712624